1. The Field of the Invention
The present invention generally relates to virtual private networks (VPN), and in particular to an efficient way of accessing a VPN.
2. Background and Relevant Art
VPNs are an attractive cost-efficient alternative to wide area networks (WANs). A VPN basically allows a remote site or client to connect to a private network via a public network (usually the Internet). Once connected, the remote site or client appears as a local part of a private network—hence the designation virtual private network. A well-designed VPN can greatly benefit a company. For example, it can extend geographic connectivity, improve security, reduce operational costs versus traditional WAN, reduce transit time and transportation costs for remote clients, improve productivity, simplify network topology, and provide global networking opportunities.
There are two common types of VPN systems: remote-access and site-to-site. Remote-access, also called a virtual private dial-up network (VPDN), is a client-to-LAN (Local Area Network) connection used by a company that has employees who need to connect to the private network from various remote locations. Remote-access VPNs permit secure, encrypted connections between a company's private network and a remote client, often through a third-party service provider. Site-to-site VPNs make use of dedicated equipment and large-scale encryption to connect multiple sites over a public network such as the Internet. Site-to-site VPNs can be either intranet-based or extranet-based. Regardless of the type of VPN, a well-designed VPN incorporates security, reliability, scalability, network management and policy management.
VPNs use several methods for keeping connections and data secure. Typically this involves some type of encryption or firewall, or both. Encryption is the process of taking data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Typical computer encryption systems belong to one of two categories: symmetric key encryption or public key encryption. In symmetric key encryption, each computer has a secret code it uses to encrypt a packet of information before it is sent over the network to another computer. The computer receiving the encrypted packet of information must also know the secret code in order to decode the message.
Public key encryption uses the combination of a private key and a public key. The private key is kept secret, whereas the public key generally is accessible to anyone who asks for it. The private key and public key are related in that the one decrypts data that is encrypted by the other. Accordingly, data that can be decrypted by the public key indicates that a holder of the corresponding private key encrypted the data, and therefore identifies the holder of the corresponding private key as the source of the encrypted data. Similarly, by encrypting data with the public key, the sender
A common use of public key encryption involves Secure Sockets Layer (SSL). SSL is an Internet security protocol used by Internet browsers and web servers to transmit sensitive information. SSL uses a security handshake to initiate the secure session over a TCP/IP connection. During the handshake, information for determining symmetric encryption/decryption keys is exchanged using public key encryption. This handshake results in the client and server agreeing on the level of security they will use. After the handshake, SSL encrypts and decrypts the bytestream of the application protocol being used, e.g., http, nntp, telnet, etc. This means that all the information in both the http request and response is fully encrypted, including the URL, the client request, all submitted form contents (e.g., credit card numbers), any http access authorization information (e.g., client name and passwords) and all data sent from the server to the client. SSL and other protocols such as Transport Layer Security (TLS) operate at upper network protocol layers.
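The handshake described above, as an added example (not code from the original text): a public-key exchange establishes symmetric session keys, after which the application bytestream, here an HTTP request carrying a URL and authorization header, is encrypted with a symmetric cipher. The concrete primitives are assumptions, not the page's: X25519 key agreement stands in for the public-key step, HKDF derives the keys, and AES-GCM is the symmetric cipher. Requires the third-party `cryptography` package.

```python
"""Model of an SSL/TLS-style handshake followed by symmetric record encryption.
Added example; primitive choices (X25519, HKDF, AES-GCM) are assumptions."""
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


@dataclass
class Hello:
    """One handshake message: a fresh nonce plus an ephemeral raw public key."""
    nonce: bytes
    public_key: bytes


class Endpoint:
    """One side of the handshake (client or server)."""

    def __init__(self, role: str) -> None:
        self.role = role
        self._priv = X25519PrivateKey.generate()
        pub = self._priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
        self.hello = Hello(os.urandom(32), pub)
        self._send_key = self._recv_key = None
        self._seq = 0  # record counter, used as the AES-GCM nonce

    def finish(self, client_hello: Hello, server_hello: Hello) -> None:
        """Derive directional session keys from the shared secret and the
        handshake transcript (both nonces and both public keys)."""
        peer = server_hello if self.role == "client" else client_hello
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(peer.public_key))
        transcript = (client_hello.nonce + client_hello.public_key
                      + server_hello.nonce + server_hello.public_key)
        material = HKDF(algorithm=hashes.SHA256(), length=64, salt=transcript,
                        info=b"example session keys").derive(shared)
        c2s, s2c = material[:32], material[32:]
        self._send_key, self._recv_key = (c2s, s2c) if self.role == "client" else (s2c, c2s)

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt one record; the 12-byte counter nonce is prefixed to the output."""
        nonce = self._seq.to_bytes(12, "big")
        self._seq += 1
        return nonce + AESGCM(self._send_key).encrypt(nonce, plaintext, None)

    def unseal(self, record: bytes) -> bytes:
        """Decrypt one record; raises InvalidTag if any byte was altered."""
        return AESGCM(self._recv_key).decrypt(record[:12], record[12:], None)


def handshake():
    """Both sides exchange Hello messages and derive the same session keys."""
    client, server = Endpoint("client"), Endpoint("server")
    client.finish(client.hello, server.hello)
    server.finish(client.hello, server.hello)
    return client, server


def send_request(request: bytes):
    """Return (bytes visible on the wire, plaintext recovered by the server)."""
    client, server = handshake()
    record = client.seal(request)
    return record, server.unseal(record)


def tamper_is_detected(request: bytes) -> bool:
    """Flip one bit of a record in transit and report whether the receiver rejects it."""
    client, server = handshake()
    record = bytearray(client.seal(request))
    record[-1] ^= 0x01
    try:
        server.unseal(bytes(record))
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: URL, query string and credentials all sit in the encrypted payload.
    req = b"GET /account?card=4111 HTTP/1.1\r\nAuthorization: Basic dXNlcjpwdw==\r\n\r\n"
    wire, seen = send_request(req)
    print("on the wire:", wire.hex()[:40], "...")
    print("server recovered request:", seen == req)
    print("tampering detected:", tamper_is_detected(req))
```

Only the two Hello messages travel in the clear; everything after `finish` is ciphertext keyed by material an observer of the exchange cannot compute, which is why the URL and authorization header are hidden as the text states.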
Another form of VPN security is known as Internet Protocol Security (IPSec). When combined with a key negotiation technology such as Internet Key Exchange (IKE), IPSec provides enhanced security features such as more comprehensive authentication and the ability to secure non-TCP traffic. Only systems that are IPSec compliant, therefore, can take advantage of this protocol. Unlike SSL and TLS, IPSec operates at lower network protocol layers.
Of course, VPNs are not suitable for all types of network access. For example, access to a public web site, transferring Internet email, and other types of access are expected to originate external to a private network and without authentication. For normal operation, therefore, certain types of external and unauthenticated access need to be supported. Allowing external access to a private network, however, introduces a variety of security risks.
A firewall provides a strong barrier between a private network and another network, such as the Internet, which are typically within different trust domains. To address the security risks introduced by external access, a firewall may restrict the number of open ports, what type of packets are passed through, and which protocols are allowed.
A firewall may be a combination of software and/or hardware that filters the information coming through the external network connection into a private network or computer system. If the filters flag an incoming packet of information, it is not allowed through. Typical firewalls use one or more of three techniques to control traffic flow into and out of a network, which include static packet filtering, proxy service, and/or dynamic packet filtering. Static packet filtering, as its name implies, analyzes chunks of data against a set of filters. Packets that make it through the filters are routed appropriately, whereas all others are discarded. If a proxy service is used, information from the network is retrieved by the firewall and then sent to the requesting system and vice versa. A newer technique that doesn't examine the contents of each packet, but instead compares certain key parts of the packet to a database of trusted information, is known as dynamic packet filtering. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics. Incoming information is then compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise, it is discarded.
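Two of the three techniques described above, static packet filtering and dynamic (stateful) packet filtering, as a runnable model that is an added example rather than code from the original text. The addresses, ports, rule set and packet trace are constructed for illustration; the trace is chosen so that each filter admits something the other discards, which is why real firewalls combine them.

```python
"""Static versus dynamic packet filtering over a constructed packet trace.
Added example; network layout and traffic are constructed, not from the text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


PRIVATE = ip_network("192.168.1.0/24")  # constructed private network behind the firewall


def is_outbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) in PRIVATE and ip_address(pkt.dst) not in PRIVATE


class StaticFilter:
    """Judges each inbound packet on its own header fields against a fixed rule list.
    First matching rule wins; anything unmatched is discarded."""

    def __init__(self, rules):
        self.rules = rules  # list of (proto, dst_port or None for any, "allow"/"deny")

    def allow(self, pkt: Packet) -> bool:
        if is_outbound(pkt):
            return True  # constructed policy: inside hosts may initiate connections
        for proto, dport, action in self.rules:
            if pkt.proto == proto and dport in (None, pkt.dport):
                return action == "allow"
        return False


class StatefulFilter:
    """Records the defining characteristics of outbound traffic and admits an
    inbound packet only when it answers a recorded flow."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        if is_outbound(pkt):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound reply has the recorded flow's addresses and ports swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


# Constructed trace: (label, packet)
TRAFFIC = [
    ("outside client to the web server on port 80",
     Packet("203.0.113.9", 40000, "192.168.1.80", 80, "tcp")),
    ("outside client to remote desktop on port 3389",
     Packet("203.0.113.9", 40001, "192.168.1.10", 3389, "tcp")),
    ("inside host opens HTTPS to an outside site",
     Packet("192.168.1.10", 50000, "198.51.100.7", 443, "tcp")),
    ("reply belonging to that HTTPS connection",
     Packet("198.51.100.7", 443, "192.168.1.10", 50000, "tcp")),
    ("unsolicited packet from source port 443",
     Packet("198.51.100.7", 443, "192.168.1.10", 50001, "tcp")),
]


def run_trace(traffic=TRAFFIC):
    """Return [(label, static_decision, stateful_decision)] for the trace."""
    static = StaticFilter([("tcp", 80, "allow")])  # only the public web server is exposed
    stateful = StatefulFilter()
    return [(label, static.allow(p), stateful.allow(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, s, d in run_trace():
        print(f"{label:48s} static={'pass' if s else 'drop'}  stateful={'pass' if d else 'drop'}")
```

The static filter drops the legitimate HTTPS reply because no fixed rule describes an inbound packet to an ephemeral port, while the stateful filter passes it and still drops the unsolicited packet that merely claims source port 443; conversely, the stateful filter alone never admits the first-contact request to the web server, which only the static rule covers.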
While VPNs are an attractive alternative to WANs, there currently exist various shortcomings to using a VPN server for remote access. For example, if a client wishes to connect to both the web and the private network through a VPN, all network traffic must then pass through the VPN. This, however, creates efficiency, privacy and compatibility problems. Efficiency problems are created because the connection must first go through the private network and then back out to the web. Accordingly, unnecessary traffic gets routed through the private network. Privacy issues are also created because such web surfing may be in violation of network policy. Even if, however, a connection to the Internet existed that supported such applications with efficiency and privacy, this connection would not be used because all data is forwarded through a firewall of the network to which the VPN is connected, thereby resulting in connectivity problems as well.
Current VPN use also often results in multiple gateways, each for disjoint networks. Multiple VPN gateways may undermine security and also may result in connectivity problems. For example, because a VPN client appears to be locally connected to the VPN, the client cannot participate in multiple VPN connections at once. Accordingly, if a client wishes to download information from one network to a separate network, the client must first establish a connection with the first VPN server, download the information to the client's storage, disconnect from the first VPN server, make a VPN connection with the second VPN network, and then download the information from the client's storage to the second network server. This creates a tremendous amount of inefficiency in both time and memory management.
Another disadvantage of current VPN systems is the complexity of tracking various VPN gateways within a private network. Clients are required to know certain configuration information for each VPN gateway, e.g., IP address, authentication information, etc. In addition, the client may not know, or it may not be intuitive, which VPN gateway must be used to access a particular server within the private network. As LAN configuration changes, clients may need to be promptly updated with new settings to facilitate continuing VPN access.
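The routing behaviour behind the three preceding shortcomings, as an added example (not code from the original text): a conventional client in full-tunnel mode sends every packet to the one gateway it is connected to, so web traffic hairpins through the private network and prefixes served by other gateways are unreachable until the client reconnects, whereas a destination-aware client would tunnel only private-network traffic, pick the serving gateway per prefix by longest-prefix match, and send public traffic directly. The gateway table, prefixes and flows are constructed, and the rule that each private prefix is reachable only through the gateway listed for it is a modelling assumption.

```python
"""Full-tunnel versus destination-aware (split-tunnel) routing across several
VPN gateways. Added example; table, prefixes and flows are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed gateway table: which gateway reaches which private prefix.
GATEWAYS = [
    (ip_network("10.0.0.0/8"), "vpn-gw-hq"),
    (ip_network("10.20.0.0/16"), "vpn-gw-lab"),      # more specific than 10/8
    (ip_network("172.16.0.0/12"), "vpn-gw-partner"),
]

# Constructed flows: (destination address, bytes transferred)
FLOWS = [
    ("10.1.2.3", 5_000),         # file server at headquarters
    ("10.20.5.6", 80_000),       # build server in the lab network
    ("172.16.9.9", 2_000),       # host on a partner extranet
    ("203.0.113.20", 400_000),   # public web site
]


def select_gateway(dst: str):
    """Longest-prefix match over the gateway table; None for public destinations."""
    addr = ip_address(dst)
    matches = [(net, gw) for net, gw in GATEWAYS if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def next_hop(dst: str, mode: str, connected: str = "vpn-gw-hq") -> str:
    """Where a packet to dst is sent. In full-tunnel mode the client forwards
    everything to the gateway it is connected to; in split-tunnel mode private
    destinations go to their serving gateway and everything else goes direct."""
    if mode == "full-tunnel":
        return connected
    if mode == "split-tunnel":
        return select_gateway(dst) or "direct"
    raise ValueError(f"unknown mode {mode!r}")


def bytes_per_hop(mode: str, flows=FLOWS, connected: str = "vpn-gw-hq") -> dict:
    """Total bytes that each next hop carries for the given flows."""
    totals = defaultdict(int)
    for dst, size in flows:
        totals[next_hop(dst, mode, connected)] += size
    return dict(totals)


def unreachable(mode: str, flows=FLOWS, connected: str = "vpn-gw-hq") -> list:
    """Private destinations the client cannot reach without reconnecting:
    in full-tunnel mode, any prefix whose serving gateway is not the connected one."""
    if mode != "full-tunnel":
        return []
    return [dst for dst, _ in flows
            if select_gateway(dst) not in (None, connected)]


if __name__ == "__main__":
    for mode in ("full-tunnel", "split-tunnel"):
        print(mode, bytes_per_hop(mode), "unreachable:", unreachable(mode))
```

Under full-tunnel every byte, including the 400,000 bytes of public web traffic, crosses the headquarters gateway, and the lab and partner hosts are out of reach until the client tears down the connection and rebuilds it elsewhere; under split-tunnel the private network carries only the 87,000 bytes destined for it, and the client never has to know which gateway serves a given server because the table decides.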
Accordingly, there exists a need for a transparent VPN, which will allow a client access to a network without necessarily requiring all information requested by or sent from the client to pass through the network. Further, there exists a need to be able to access more than one network simultaneously and to simplify access to a private network without undermining security needs.